Selected Topics

Question 1

What did we do?

Answer 1

My group assessed the monetary penalty notice from ICO to Facebook regarding the Cambridge Analytica case in which data was unlawfully used to influence on the US presidential election.

By means of an app connected to Facebook, the creator of the app, Dr. Kogan, was able to collect data from users of the app as well as the friends of those users (this data being collected without consent).

My group found that Facebook should indeed be held liable for the infringement of personal data, because the gravity of the infringement is greatly because of negligent actions from Facebook - simple adopting a Platform Policy is not enough, they would have had to monitor compliance as well.

However, Facebook should not receive the maximum fine which ICO is trying to impose on them, because of mitigating factors, in regards to Article 83.

• Dr. Kogan is a joint controller and therefor has a big degree of responsibility
• Facebook has greatly cooperated with ICO
• Facebook shut down Dr. Kogans access to the Facebook Platform as soon as they became aware of the infringement
• Facebook has adopted a thorough Platform Policy for the use of the app platform which prohibited unlawful processing of the data
• Data was only collected where the friends had not made it private.

Problems with the notice:

• It does not respect the rule of law. The notice states that it cannot be definitely proven that data from UK citizens were used in the unlawful processing, only that “some of it was likely to have been used”.
• Seems like a bit of a reach to impose maximum fine - probably an attempt to place a hit on FB and try to create a precedent.